Does mamba support the Windows certificate store? #530

Closed
dhirschfeld opened this issue Oct 12, 2020 · 11 comments

Comments

@dhirschfeld
Contributor

dhirschfeld commented Oct 12, 2020

I'm not sure if this is a problem with mamba or just the config on my machine but I'm seeing SSL errors against a repo server using self-signed certificates:

stanwell/uat/noarch      [>                   ] (00m:06s) SSL connect error
stanwell/uat/win-64      [>                   ] (00m:06s) SSL connect error

Setting ssl_verify: false in my .condarc "fixes" the problem - but that's less than ideal.

Before going down the rabbit-hole I just wanted to confirm that mamba will use the Windows certificate store?

@dhirschfeld
Contributor Author

Update:

...it seems OpenSSL may support the Windows Credential Store via an option CURLSSLOPT_NATIVE_CA

https://curl.haxx.se/libcurl/c/CURLOPT_SSL_OPTIONS.html

@dhirschfeld
Contributor Author

Note:
mamba does seem to work when connecting from on-prem but maybe it's connecting to the HTTP endpoint. I'm only seeing this error when trying to install from a cloud VM (where HTTPS is enforced).

@wolfv
Member

wolfv commented Mar 16, 2021

For micromamba we're using SChannel and SecureTransport now and I tested it (using badssl.com, very useful) to make sure it works.

I think cURL on Windows has been compiled against SChannel for a while now (on conda-forge). Although I am not sure if openssl is also available in that build.

You could try to set a specific backend using the environment variable:

CURL_SSL_BACKEND=schannel

For micromamba, we're "forcing" curl to use SChannel and SecureTransport. However, we don't do that for mamba itself right now (since the situation is a bit different, certificates should generally be available in the prefix from the ca-certificates package).

@dhirschfeld
Contributor Author

Thanks for the tip @wolfv! I'll double check with a recent mamba to see what the current situation is and report back...

@wolfv
Member

wolfv commented Mar 16, 2021

Thanks. Through the micromamba work I at least know how we can fix that :)

We can also dynamically set the SSL backend from condarc or some other configuration file, if necessary

@dhirschfeld
Contributor Author

Ok, digging in further and it appears mamba is using schannel:

❯ mamba --version
mamba 0.8.2
conda 4.9.2
❯ mamba install escapism --no-banner

Looking for: ['escapism']

conda-forge/win-64       Using cache
conda-forge/noarch       Using cache
stanwell/uat/win-64      [====================] (00m:06s) 0 Failed
stanwell/uat/noarch      [>                   ] (00m:06s) SSL connect error

# >>>>>>>>>>>>>>>>>>>>>> ERROR REPORT <<<<<<<<<<<<<<<<<<<<<<

    Traceback (most recent call last):
      <snip>
      File "C:\Miniforge\lib\site-packages\mamba\utils.py", line 74, in get_index
        is_downloaded = dlist.download(True)
    RuntimeError: Download error (35) SSL connect error [stanwell/uat/noarch/repodata.json]
    schannel: next InitializeSecurityContext failed: Unknown error (0x80092013) - The revocation function was unable to check revocation because the revocation server was offline.

...however it's failing due to being unable to connect to our revocation server 🤦

It might be nice to have some way to pass through --ssl-revoke-best-effort but at the end of the day it's a network configuration issue so I'll go ahead and close this as Not A mamba Error!

I guess I was thrown by the fact that conda seems to happily ignore revocation errors. Anyway, thanks for your help debugging @wolfv!
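An added triage helper (not mamba's or libcurl's code) for the kind of error report quoted in this comment: it pulls the libcurl error code and the Schannel HRESULT out of the report and says whether the failure is only a revocation-checking problem (where MAMBA_SSL_NO_REVOKE or opening the firewall to the CRL/OCSP server is the fix) or a real certificate validation failure (where ssl_verify: false would be the wrong answer). The HRESULT names are standard Windows CryptoAPI codes; the sample report is constructed from the lines above.

```python
import re

# Constructed sample: the shape of the mamba/libcurl error lines seen in this
# issue (the HRESULT text and repodata path are taken from the report above).
SAMPLE_REPORT = """\
RuntimeError: Download error (35) SSL connect error [stanwell/uat/noarch/repodata.json]
schannel: next InitializeSecurityContext failed: Unknown error (0x80092013) - The revocation function was unable to check revocation because the revocation server was offline.
"""

# Schannel/CryptoAPI HRESULTs that commonly surface behind curl error 35 on Windows.
# Only the revocation-*checking* failures are candidates for MAMBA_SSL_NO_REVOKE;
# the others mean the certificate itself does not validate and need a real fix.
SCHANNEL_HRESULTS = {
    0x80092013: ("CRYPT_E_REVOCATION_OFFLINE", "revocation server unreachable", True),
    0x80092012: ("CRYPT_E_NO_REVOCATION_CHECK", "no revocation info available", True),
    0x80092010: ("CRYPT_E_REVOKED", "certificate is revoked", False),
    0x800B0109: ("CERT_E_UNTRUSTEDROOT", "root CA not in the Windows store", False),
    0x800B010F: ("CERT_E_CN_NO_MATCH", "hostname mismatch", False),
    0x800B0101: ("CERT_E_EXPIRED", "certificate expired or not yet valid", False),
}

CURL_ERR_RE = re.compile(r"Download error \((\d+)\)")
HRESULT_RE = re.compile(r"\(0x([0-9A-Fa-f]{8})\)")


def classify(report: str) -> dict:
    """Return curl code, Schannel HRESULT and whether skipping revocation is an adequate fix."""
    m_curl = CURL_ERR_RE.search(report)
    m_hr = HRESULT_RE.search(report)
    curl_code = int(m_curl.group(1)) if m_curl else None
    hresult = int(m_hr.group(1), 16) if m_hr else None
    name, meaning, revocation_only = SCHANNEL_HRESULTS.get(
        hresult, ("UNKNOWN", "unrecognised Schannel error", False))
    if curl_code != 35:
        advice = "not a TLS handshake failure (curl 35); look elsewhere"
    elif revocation_only:
        advice = ("CRL/OCSP server reachability is the issue: open the firewall, "
                  "or set MAMBA_SSL_NO_REVOKE=1 (certificate validation stays on)")
    else:
        advice = "certificate fails validation: fix trust/hostname/expiry, not ssl_verify: false"
    return {"curl_code": curl_code, "hresult": hresult, "name": name,
            "meaning": meaning, "revocation_only": revocation_only, "advice": advice}


if __name__ == "__main__":
    for key, value in classify(SAMPLE_REPORT).items():
        print(f"{key}: {value}")
```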

@wolfv
Member

wolfv commented Mar 17, 2021

Thanks @dhirschfeld for looking into this, at least we got some payoff of the recent changes to print more cURL error strings :)

Also, there is a Micromamba flag for this now and you can use the env var MAMBA_SSL_NO_REVOKE for mamba as well.

Best effort is something we haven't implemented yet. I wanted to refactor a bit how we pass options to curl, and I can try to keep that in mind...

@dhirschfeld
Contributor Author

> at least we got some payoff of the recent changes to print more cURL error strings

The error message is excellent! 🎉
IMHO, having good error messages is critical for any production code.

Being able to set --ssl-no-revoke is great - I'll give that env var a go but I've also asked the network peeps to allow traffic through the firewall to our revocation server.

@dhirschfeld
Contributor Author

Just posting here to mention that MAMBA_SSL_NO_REVOKE works great! 👍

> mamba install escapism

Looking for: ['escapism']

pkgs/msys2/win-64        [====================] (00m:00s) Done
pkgs/msys2/noarch        [====================] (00m:00s) Done
pkgs/main/noarch         [====================] (00m:00s) Done
pkgs/r/noarch            [====================] (00m:00s) Done
pkgs/r/win-64            [====================] (00m:00s) Done
pkgs/main/win-64         [====================] (00m:01s) Done
stanwell/uat/win-64      [>                   ] (00m:06s) SSL connect error
stanwell/uat/noarch      [>                   ] (00m:06s) SSL connect error

# >>>>>>>>>>>>>>>>>>>>>> ERROR REPORT <<<<<<<<<<<<<<<<<<<<<<
<snip>

> $env:MAMBA_SSL_NO_REVOKE=1
> mamba install escapism

Looking for: ['escapism']

pkgs/r/win-64            [====================] (00m:00s) No change
pkgs/main/noarch         [====================] (00m:00s) No change
pkgs/r/noarch            [====================] (00m:00s) No change
pkgs/msys2/noarch        [====================] (00m:00s) No change
pkgs/main/win-64         [====================] (00m:00s) No change
pkgs/msys2/win-64        [====================] (00m:00s) No change
stanwell/uat/noarch      [====================] (00m:00s) Done
stanwell/uat/win-64      [====================] (00m:00s) Done
Transaction

  Prefix: C:\Miniforge

  Updating specs:

   - escapism

<snip>
